
Dreamhost/AS26347 unauthorized bgp announcement

They're doing this to our routes in any2 in LA as well.


-----Original Message-----
From: Job Snijders [mailto:job.snijders at atrato.com] 
Sent: Wednesday, March 06, 2013 4:04 AM
To: Matsuzaki Yoshinobu
Cc: nanog at nanog.org
Subject: Re: Dreamhost/AS26347 unauthorized bgp announcement

Hi Mat,

I see the same thing, we learn the prefix from the route-server in LAX: 

telnet at r1.lax1.us>show ip bgp routes detail
Number of BGP Routes matching display condition : 1
Status A:AGGREGATE B:BEST b:NOT-INSTALLED-BEST C:CONFED_EBGP D:DAMPED
1       Prefix:,  Status: BE,  Age: 0h22m15s
         NEXT_HOP:, Metric: 0, Learned from Peer: (19996)
          LOCAL_PREF: 400,  MED: none,  ORIGIN: incomplete,  Weight: 0
         AS_PATH: 26347
            COMMUNITIES: 5580:12431
            Adj_RIB_out count: 18,  Admin distance 20
       Last update to IP routing table: 0h22m15s, 1 path(s) installed:

Kind regards,


On Mar 6, 2013, at 9:59 AM, Matsuzaki Yoshinobu <maz at iij.ad.jp> wrote:

> According to RIPE RIS, AS26347 announced a bunch of prefixes again.
> - http://www.ris.ripe.net/dashboard/26347
> First suspicious announcement was started 2013-03-06 07:52:40 UTC, and 
> last seen 2013-03-06 08:33:56 UTC.  195 prefixes total.
> It seems these unauthorized announcements have the same profile as 
> before - AS26347 shrinks the prefix length of their received prefix 
> somehow up to /20, and re-originates the prefix with origin AS26347.
> Any known bugs?
> Regards,
> -----
> Matsuzaki Yoshinobu <maz at iij.ad.jp>
> - IIJ/AS2497  INOC-DBA: 2497*629

AS5580 - Atrato IP Networks
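
The announcement profile described in this thread (a received prefix shortened to a less-specific cover and re-originated under a different origin AS) can be checked against a table of expected origins. The Python below is an added example, not part of the original messages; the function name, the expected-origin table and every sample prefix and ASN (documentation ranges) are constructed for illustration.

```python
import ipaddress

# Constructed sample data: documentation prefixes (RFC 5737 / RFC 3849) and
# documentation ASNs (RFC 5398). None of these values come from the thread.
EXPECTED = {            # prefix -> origin AS we expect to see for it
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
    "2001:db8:1::/48": 64496,
}
OBSERVED = [            # (prefix, AS_PATH) as learned from a peer or route server
    ("192.0.0.0/20", [64511]),            # shorter cover, foreign origin
    ("198.51.100.0/24", [64500, 64497]),  # exact prefix, expected origin
    ("198.51.96.0/21", [64500, 64497]),   # shorter cover, same origin (aggregate)
    ("2001:db8::/32", [64500, 64511]),    # IPv6 cover, foreign origin
    ("203.0.113.0/24", [64511]),          # unrelated prefix
]

def find_reoriginated_covers(expected, observed):
    """Return (seen_prefix, seen_origin, covered_prefix, expected_origin) tuples
    for every observed route that is a strictly shorter covering prefix of an
    expected route but carries a different origin AS."""
    known = [(ipaddress.ip_network(p), asn) for p, asn in expected.items()]
    findings = []
    for prefix, as_path in observed:
        if not as_path:
            continue  # empty AS_PATH: no origin AS to compare
        seen = ipaddress.ip_network(prefix)
        origin = as_path[-1]  # rightmost AS in AS_PATH is the origin
        for net, want in known:
            if seen.version != net.version:
                continue  # subnet_of() raises TypeError across IPv4/IPv6
            if (seen.prefixlen < net.prefixlen and net.subnet_of(seen)
                    and origin != want):
                findings.append((str(seen), origin, str(net), want))
    return findings

if __name__ == "__main__":
    for seen, origin, covered, want in find_reoriginated_covers(EXPECTED, OBSERVED):
        print(f"ALERT {seen} origin AS{origin} covers {covered} (expected AS{want})")
```

A shorter cover announced with the expected origin is treated as a legitimate aggregate and is not flagged; only covers with a different origin AS are reported.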